Detecting phishing websites via a machine learning-based system using url feature hashes, html encodings and embedded images of content pages

ABSTRACT

Disclosed is phishing classifier that classifies a URL and content page accessed via the URL as phishing or not is disclosed, with URL feature hasher that parses and hashes the URL to produce feature hashes, and headless browser to access and internally render a content page at the URL, extract HTML tokens, and capture an image of the rendering. Also disclosed are an HTML encoder, trained on HTML tokens extracted from pages at URLs, encoded, then decoded to reproduce images captured from rendering, that produces an HTML encoding of the tokens extracted, and an image embedder, pretrained on images, that produces an image embedding of the image captured. Further, phishing classifier layers, trained on the feature hashes, the HTML encoding, and the image embedding, process the URL feature hashes, HTML encoding and image embeddings to produce a likelihood score that the URL and the page accessed presents a phishing risk.

CROSS REFERENCE

This application is a continuation of U.S. application Ser. No. 17/475,233, titled “Detecting Phishing Websites Via a Machine Learning-Based System Using URL Feature Hashes, HTML Encodings and Embedded Images of Content Pages,” filed 14 Sep. 2021, now U.S. Pat. No. 11,336,689, issued 17 May 2022 (Attorney Docket No, NSKO 1060-1.)

RELATED CASES

This application is related to the following applications which are incorporated by reference for all purposes as if fully set forth herein:

U.S. application Ser. No. 17/475,236, titled “A Machine Learning-Based system for Detecting Phishing Websites Using the URLs, Word encodings and Images of Content Pages,” filed 14 Sep. 2021 (Atty. Docket No. NSKO 1052-1); and

U.S. application Ser. No. 17/475,230, “Machine Learning-Based Systems and Methods of Using URLs And HTML Encodings for Detecting Phishing Websites,” filed 14 Sep. 2021 (Atty. Docket No. NSKO 1061-1).

This application is also related to the following applications which are incorporated by reference for all purposes as if fully set forth herein:

U.S. application Ser. No. 17/390,803, titled “Preventing Cloud-Based Phishing Attacks Using Shared Documents with Malicious Links,” filed 30 Jul. 2021 (Atty. Docket No. 1037-2) which is a continuation of U.S. application Ser. No. 17/154,978, titled “Preventing Phishing Attacks Via Document Sharing,” filed 21 Jan. 2021, now U.S. Pat. No. 11,082,445, issued 3 Aug. 2021 (Atty. Docket No. NSKO 1037-1).

INCORPORATIONS

The following materials are incorporated by reference in this filing:

“KDE Hyper Parameter Determination,” Yi Zhang et al., Netskope, Inc.

U.S. Non-Provisional application Ser. No. 15/256,483, entitled “Machine Learning Based Anomaly Detection,” filed Sep. 2, 2016 (Attorney Docket No. NSKO 1004-2) (now U.S. Pat. No. 10,270,788, issued Apr. 23, 2019);

U.S. Non-Provisional application Ser. No. 16/389,861, entitled “Machine Learning Based Anomaly Detection,” filed Apr. 19, 2019 (Attorney Docket No. NSKO 1004-3) (now U.S. Pat. No. 11,025,653, issued Jun. 1, 2021);

U.S. Non-Provisional application Ser. No. 14/198,508, entitled “Security For Network Delivered Services,” filed Mar. 5, 2014 (Attorney Docket No. NSKO 1000-3) (now U.S. Pat. No. 9,270,765, issued Feb. 23, 2016);

U.S. Non-Provisional application Ser. No. 15/368,240 entitled “Systems and Methods of Enforcing Multi-Part Policies on Data-Deficient Transactions of Cloud Computing Services,” filed Dec. 2, 2016 (Attorney Docket No. NSKO 1003-2) (now U.S. Pat. No. 10,826,940, issued Nov. 3, 2020) and U.S. Provisional Application 62/307,305 entitled “Systems and Methods of Enforcing Multi-Part Policies on Data-Deficient Transactions of Cloud Computing Services,” filed Mar. 11, 2016 (Attorney Docket No. NSKO 1003-1);

“Cloud Security for Dummies, Netskope Special Edition” by Cheng, Ithal, Narayanaswamy, and Malmskog, John Wiley & Sons, Inc. 2015;

“Netskope Introspection” by Netskope, Inc.;

“Data Loss Prevention and Monitoring in the Cloud” by Netskope, Inc.;

“The 5 Steps to Cloud Confidence” by Netskope, Inc.;

“Netskope Active Cloud DLP” by Netskope, Inc.;

“Repave the Cloud-Data Breach Collision Course” by Netskope, Inc.; and

“Netskope Cloud Confidence Index™” by Netskope, Inc.

FIELD OF THE TECHNOLOGY DISCLOSED

The technology disclosed generally relates to cloud-based security, and more specifically to systems and methods for detecting phishing websites, using the URLs, word encodings and images of the content pages. Also disclosed are methods and systems for using URL feature hashes, HTML encodings and embedded images of content pages. The disclosed technology further relates to detecting phishing in real time via URL links and downloaded HTML, through machine learning and statistical analysis.

BACKGROUND

The subject matter discussed in this section should not be assumed to be prior art merely as a result of its mention in this section. Similarly, a problem mentioned in this section or associated with the subject matter provided as background should not be assumed to have been previously recognized in the prior art. The subject matter in this section merely represents different approaches, which in and of themselves can also correspond to implementations of the claimed technology.

Phishing, sometimes called spearhead phishing, is on the rise. National news has been punctuated by misuse of documents obtained using passwords stolen by phishing. Typically, an email includes a link that looks legitimate, leading to a page that looks legitimate, and a user types in a password that the phishing attack compromises. A cleaver phishing site, like a credit card skimmer or shim at a gas pump or ATM, may forward the password entered to the real website and step out of the way, so the user does not detect the password theft when it happens. Working from home in recent times has led to a large increase in phishing attacks.

The term phishing refers to a number of methods to fraudulently acquire sensitive information over the web from unsuspecting users. Phishing arises, in part, from the use of increasingly sophisticated lures to fish for a company's confidential information. These methods are generally referred to as phishing attacks. Website users fall victim to phishing attacks when rendered web pages are mimicking the look of a legitimate login page. Victims of phishing attacks are lured into fraudulent websites, which results in sensitive information exposure such as bank accounts, login passwords, social security identities, etc.

According to the recent data breach investigation reports, the popularity of large attacks grounded in social engineering has increased. This could be in part due to increasing difficulty of exploits, and partially thanks to utilization of the advancement of machine learning (ML) algorithms to prevent and detect such exploits. As such, phishing attacks have become more frequent and sophisticated. Novel defensive solutions are needed.

An opportunity arises for using ML/DL for classifying a URL and a content page accessed via the URL as phishing or not phishing. An opportunity also emerges for classifying a URL and a content page accessed via the URL link and downloaded HTML as phishing or not phishing, in real time.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings, like reference characters generally refer to like parts throughout the different views. Also, the drawings are not necessarily to scale, with an emphasis instead generally being placed upon illustrating the principles of the technology disclosed. In the following description, various implementations of the technology disclosed are described with reference to the following drawings.

FIG. 1 illustrates an architectural level schematic of a system classifies a URL and a content page accessed via the URL as phishing or not phishing, in accordance with an implementation of the technology disclosed.

FIG. 2 illustrates a high level block diagram of disclosed phishing detection engine that utilizes ML/DL encoding of a URL feature hash, encoding of natural language (NL) words and encoding of a captured website image for detecting phishing sites.

FIG. 3 illustrates an example ResNet residual CNN block diagram for image classification, for reference.

FIG. 4 illustrates a high-level block diagram of a disclosed phishing detection engine that utilizes ML/DL with the URL feature hash, the encoding of the HTML extracted from the content page, and the embedding of the image captured from the content page of example URLs, each example URL accompanied by a ground truth classification as phishing or as not phishing, for detecting phishing sites.

FIG. 5 illustrates a reference residual neural network (ResNet) block diagram, which is pretrained for classification of images, prior to use in phishing detection engine.

FIG. 6 illustrates a high-level block diagram of a disclosed phishing detection engine 602 that utilizes ML/DL with a URL embedder and an HTML encoder.

FIG. 7 shows a precision recall graph for multiple disclosed phishing detection systems.

FIG. 8 illustrates the receiver operating characteristic curves (ROC) for disclosed systems for phishing website detection described herein.

FIG. 9 illustrates the receiver operating characteristic curve (ROC) for phishing website detection for the disclosed phishing detection engine that utilizes ML/DL with a URL embedder and an HTML encoder.

FIG. 10 illustrates a block diagram of the functionality for one dimensional 1D convolutional neural network (Conv1D) URL embedder that produces a URL embedding, with the C++ code expressed in open neural network exchange (ONNX) format.

FIG. 11 shows a block diagram of the functionality for disclosed html encoder, which results in html encoding which is input to phishing classifier layers.

FIG. 12A shows an overview block diagram for disclosed html encoder which results in html encoding which is input to phishing classifier layers.

FIG. 12B, FIG. 12C and FIG. 12D together illustrate a computation dataflow graph of the functionality for html encoder which results in html encoding which is input to phishing classifier layers 675, with the C++ code expressed in open neural network exchange (ONNX) format.

FIG. 12B shows one section of the dataflow graph in two columns, separated by a dotted line, with a connector at the bottom of the left column feeding into the top of the right column, illustrating the input encoding and positional embedding.

FIG. 12C illustrates a single iteration of multi-head attention, showing an example of a dataflow graph with compute nodes that asynchronously transmit data along data connections.

FIG. 12D shows the add and normalize and feedforward functionality using ONNX operations, illustrated using three columns, separated by dotted lines.

FIG. 13 illustrates a computation dataflow graph of the functionality for disclosed phishing classifier layers that generate likelihood score(s) that signal how likely it is that a specific website is a phishing website, with the code expressed in open neural network exchange (ONNX) format.

FIG. 14 is a simplified block diagram of a computer system that can be used for classifying a URL and a content page accessed via the URL as phishing or not phishing, in accordance with an implementation of the disclosed technology.

DETAILED DESCRIPTION

The following detailed description is made with reference to the figures. Sample implementations are described to illustrate the technology disclosed, not to limit its scope, which is defined by the claims. The discussion is presented to enable any person skilled in the art to make and use the technology disclosed, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed implementations will be readily apparent to those of ordinary skill in the art, and the general principles defined herein may be applied to other implementations and applications without departing from the spirit and scope of the technology disclosed. Thus, the technology disclosed is not intended to be limited to the implementations shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.

The problem addressed by the disclosed technology is detection of phishing websites. Security forces attempt to catalogue phishing campaigns as they arise. Security vendors depend on lists of phishing websites to power their security engines. Both proprietary and open sources are available that catalogue phishing links. Two open source, community examples of phishing Universal Resource Locator (URL) lists are PhishTank and OpenPhish. Lists are used by security forces that analyze malicious links and generate signatures from malicious URLs. The signatures are used to detect malicious links, typically by matching part or all of a URL or a compact hash thereof. Generalization from signatures have been the main approach to stopping zero-day phishing attacks that hackers can use to attack systems. Zero-day refers to recently discovered security vulnerabilities that the vendor or developer has only just learned of and has zero days to fix.

Sometimes phishing campaigns end before the website at the phishing link can be analyzed, as phishers evade getting caught. Websites can be dismantled by phishers as quickly as they are posted to lists by security forces. Analysis of collected URLs is more reliably persistent than following malicious URLs to active phishing sites. The sites disappear as suddenly as they appear. In part due to disappearing sites, the state of the art has been to analyze URLs.

The technology disclosed applies machine learning/deep learning (ML/DL) to phishing detection with a very low false positive rate and good recall. Three transfer learning techniques are presented, based on text/image analysis and based on HTML analysis.

In the first technique, we use transfer learning by taking advantage of recent deep learning architectures for multilingual natural language understanding and computer vision, in order to embed the textual and visual contents of web pages. The first generation of applying ML/DL to phishing detection uses concatenated embeddings of web page text and web page images. We train a detection classifier, which uses the encoder function of models, such as the Bidirectional Encoder Representations from Transformers (BERT) and the decoder function of the residual neural network (ResNet), taking advantage of transfer learning from general training on embedding of text and images. Being trained on large amounts of data, the final layers of such models serve as reliable encodings for the visual and textual contents of web pages. Care is taken to reduce false positives, as benign, non-phishing links are far more abundant than phishing sites and blocking of non-phishing links is annoying.

The second technique of applying ML/DL to phishing detection creates a new encoder-decoder pair that counter-intuitively decodes an embedding of HTML to replicate rendering by a browser to a display. The embedding is, of course lossy. The decoding is much less precise than a browser accomplishes. An encoder-decoder approach to embedding HTML code facilitates transfer learning. Once the encoder has been trained to embed the HTML, a classifier replaces the decoder. Transfer learning based on embedding is practical with a relatively small training corpus. At present, as few as 20 k or 40 k examples of phishing page examples has proven sufficient to train a classifier of two fully connected layers, which processes embeddings. The second generation embedding of HTML can be enhanced by concatenating other embeddings, such as the ResNet image embedding, a URL feature embedding or both the ResNet image embedding and URL feature embedding.

The scale of new URLs however can hinder the real-time detection of web pages using their contents, due to the high computational complexity of deep learning architectures as well as the rendering time and parsing time of the contents of web pages.

A third generation of applying ML/DL to phishing detection classifies a URL and a content page accessed via the URL as phishing or not phishing using a URL embedder, an HTML encoder, and a phishing classifier layer, and can react in real time when a malicious web page is detected. This third technology effectively filters the suspicious URLs, using a trained, faster model without the need to visit any website. Suspicious URLs can also be routed to the first or second technology later for final detection.

Example systems for detecting phishing via URL links and downloaded HTML in offline mode and in real time are described next.

Architecture

FIG. 1 shows an architectural level schematic of a system 100 for detecting phishing via URL links and downloaded HTML. System 100 also includes functionality for detecting phishing via redirected or obscured URL links and downloaded HTML in real time. Because FIG. 1 is an architectural diagram, certain details are intentionally omitted to improve clarity of the description. The discussion of FIG. 1 will be organized as follows. First, the elements of the figure will be described, followed by their interconnections. Then, the use of the elements in the system will be described in greater detail.

FIG. 1 includes system 100 including the endpoints 166. User endpoints 166 may include devices such as computers 174, smart phones 176, and computer tablets 178, which provide access and interact with data stored on a cloud-based store 136 and cloud-based services 138. In another organization network, organization users may utilize additional devices. An inline proxy 144 is interposed between the user endpoints 166 and the cloud-based services 138 through the network 155 and particularly through a network security system 112 including a network administrator 122, network policies 132, an evaluation engine 152 and a data store 164, which will be described in more detail. The in-line proxy 144 is accessible through network 155, as part of the network security system 112. The in-line proxy 144 provides traffic monitoring and control between the user endpoints 166, the cloud-based store 136 and other cloud-based services 138. The in-line proxy 144 has active scanners 154, which collect HTML and snapshots of web pages and store the data sets in data store 164. When features can be extracted in real time from the traffic and snapshots are not collected from the live traffic, active scanners 154 are not needed for crawling the web page content at the URLs, as in the third-generation system of applying ML/DL to phishing detection. The three ML/DL systems for detecting phishing websites are described in detail below. The in-line proxy 144 monitors the network traffic between user endpoints 166 and cloud-based services 138, particularly to enforce network security policies including data loss prevention (DLP) policies and protocols. Evaluation engine 152 checks the database record of URLs deemed to be malicious, via the disclosed detecting of phishing websites, and these phishing URLs are automatically and permanently blocked.

For detecting phishing via URL links and downloaded HTML in real time, in-line proxy 144, positioned between the user endpoints 166 and the cloud-based storage platform, inspects and forwards incoming traffic to phishing detection engine 202, 404, 602, which are described below. The inline proxy 144 can be configured to sandbox the content corresponding to links and inspect/explore the links to make sure the pages pointed to by the URLs are safe, before allowing users to access the pages through the proxy. Links identified as malicious can then be quarantined, and inspected for threats utilizing known techniques, including secure sandboxing.

Continuing with the description of FIG. 1 , cloud-based services 138 includes cloud-based hosting services, web email services, video, messaging, and voice call services, streaming services, file transfer services, and cloud-based storage service. Network security system 112 connects to user endpoints 166 and cloud-based services 138 via public network 155. Data store 164 stores lists of malicious links and signatures from malicious URLs. The signatures are used to detect malicious links, typically by matching part or all of a URL or a compact hash thereof. data store 164 stores information from one or more tenants into tables of a common database image to form an on-demand database service (ODDS), which can be implemented in many ways, such as a multi-tenant database system (MTDS). A database image can include one or more database objects. In other implementations, the databases can be relational database management systems (RDBMSs), object-oriented database management systems (OODBMSs), distributed file systems (DFS), no-schema database, or any other data storing systems or computing devices. In some implementations, the gathered metadata is processed and/or normalized. In some instances, metadata includes structured data and functionality targets specific data constructs provided by cloud-based services 138. Non-structured data, such as free text, can also be provided by, and targeted back to cloud-based services 138. Both structured and non-structured data are capable of being stored in a semi-structured data format like a JSON (JavaScript Object Notation), BSON (Binary JSON), XML, Protobuf, Avro or Thrift object, which consists of string fields (or columns) and corresponding values of potentially different types like numbers, strings, arrays, objects, etc. JSON objects can be nested and the fields can be multi-valued, e.g., arrays, nested arrays, etc., in other implementations. These JSON objects are stored in a schema-less or NoSQL key-value metadata store 178 like Apache Cassandra™ Google's Bigtable™, HBase™, Voldemort™, CouchDB™, MongoDB™, Redis™ Riak™ Neo4j™, etc., which stores the parsed JSON objects using key spaces that are equivalent to a database in SQL. Each key space is divided into column families that are similar to tables and comprise of rows and sets of columns.

Continuing further with the description of FIG. 1 , system 100 can include any number of cloud-based services 138: point to point streaming services, hosted services, cloud applications, cloud stores, cloud collaboration and messaging platforms, and cloud customer relationship management (CRM) platforms. The services can include peer-to-peer file sharing (P2P) via protocols for portal traffic such as BitTorrent (BT), user data protocol (UDP) streaming and file transfer protocol (FTP); voice, video and messaging multimedia communication sessions such as instant message over Internet Protocol (IP) and mobile phone calling over LTE (VoLTE) via the Session Initiation Protocol (SIP) and Skype. The services can handle Internet traffic, cloud application data, and generic routing encapsulation (GRE) data. A network service or application, or can be web-based (e.g., accessed via a uniform resource locator (URL)) or native, such as sync clients. Examples include software-as-a-service (SaaS) offerings, platform-as-a-service (PaaS) offerings, and infrastructure-as-a-service (IaaS) offerings, as well as internal enterprise applications that are exposed via URLs. Examples of common cloud-based services today include Salesforce.com™, Box™, Dropbox™, Google Apps™ Amazon AWS™, Microsoft Office365™, Workday™, Oracle on Demand™, Taleo™, Yammer™, Jive™, and Concur™.

In the interconnection of the elements of system 100, network 155 couples computers, tablets and mobile devices, cloud-based hosting service, web email services, video, messaging and voice call services, streaming services, file transfer services, cloud-based storage service 136 and network security system 112 in communication. The communication path can be point-to-point over public and/or private networks. Communication can occur over a variety of networks, e.g. private networks, VPN, MPLS circuit, or Internet, and can use appropriate application program interfaces (APIs) and data interchange formats, e.g., REST, JSON, XML, SOAP and/or JMS. All of the communications can be encrypted. This communication is generally over a network such as the LAN (local area network), WAN (wide area network), telephone network (Public Switched Telephone Network (PSTN), Session Initiation Protocol (SIP), wireless network, point-to-point network, star network, token ring network, hub network, Internet, inclusive of the mobile Internet, via protocols such as EDGE, 3G, 4G LTE, Wi-Fi, and WiMAX. Additionally, a variety of authorization and authentication techniques, such as username/password, OAuth, Kerberos, SecureID, digital certificates, and more, can be used to secure the communications.

Further continuing with the description of the system architecture in FIG. 1 , network security system 112 includes data store 164 which can include one or more computers and computer systems coupled in communication with one another. They can also be one or more virtual computing and/or storage resources. For example, network security system 112 can be one or more Amazon EC2 instances and data store 164 can be Amazon S3™ storage. Other computing-as-service platforms such as Rackspace, Heroku or Force.com from Salesforce could be used rather than implementing network security system 112 on direct physical computers or traditional virtual machines. Additionally, one or more engines can be used and one or more points of presence (POPs) can be established to implement the security functions. The engines or system components of FIG. 1 are implemented by software running on varying types of computing devices. Example devices are a workstation, a server, a computing cluster, a blade server, and a server farm, or any other data processing system or computing device. The engine can be communicably coupled to the databases via a different network connection.

While system 100 is described herein with reference to particular blocks, it is to be understood that the blocks are defined for convenience of description and are not intended to require a particular physical arrangement of component parts. Further, the blocks need not correspond to physically distinct components. To the extent that physically distinct components are used, connections between components can be wired and/or wireless as desired. The different elements or components can be combined into single software modules and multiple software modules can run on the same processors.

Despite the best attempts of malicious actors, the contents and the appearance of phishing websites provide features that the disclosed deep learning models can utilize to reliably detect phishing websites. In the disclosed systems described next, we use transfer learning by taking advantage of recent deep learning architectures for multilingual natural language understanding and computer vision, in order to embed the textual and visual contents of web pages.

FIG. 2 illustrates a high-level block diagram 200 of disclosed phishing detection engine 202 that utilizes ML/DL with a URL feature hash, encoding of natural language (NL) words and embedding of a captured website image for detecting phishing sites. Disclosed phishing classifier layers 275 generate likelihood score(s) 285 that signal how likely it is that a specific website is a phishing website. Phishing detection engine 202 utilizes a Multilingual Bidirectional Encoder Representations from Transformers (BERT) model which supports over 100+ languages as encoder 264, and utilizes a residual neural network (ResNet50), for images as embedder 256, in one embodiment. URL feature hash 242, word encoding 265 and image embedding 257 then are passed to neural network phishing classifier layers 275 for final training and inference, as described below.

Encoders can be trained by pairing an encoder and a decoder. The encoder and decoder can be trained to squeeze the input into the embedding space, then reconstruct the input from the embedding. Once the encoder is trained, it can be repurposed, as described herein. Phishing classifier layers 275 utilize URL feature hash 242 of the URL n-gram, word encoding 265 of words extracted from the content page, and image embedding 257 of an image captured from content page 216 at URL 214 web address.

In one embodiment, phishing detection engine 202 utilizes feature hashing of content of webpages as well as security information present in the response headers, to complement the features available in both benign and phishing webpages. The content is expressed in JavaScript in one implementation. A different language, such as Python can be used in another embodiment. URL feature hasher 222 receives URL 214 and parses the URL into features and hashes the features to produce URL feature hash 242, resulting in dimensionality reduction of the URL n-gram. An example of domain features for a URL with headers plus security information is listed next.

  “scanned_url”: [  “http://alfabeek.com/” ], “header”: {  “date”: “Tue, 02 Mar 2021 15:30:27 GMT”,  “server”: “Apache”,  “last-modified”: “Tue, 08 Sep 2020 02:09:49 GMT”,  “accept-ranges”: “bytes”,  “vary”: “Accept-Encoding”,  “content-encoding”: “gzip”,  “content-length”: “23859”,  “content-type”: “text/html”}, “security_info”: [  {   “_subjectName”: “alfabeek.com”,   “_issuer”: “Sectigo RS A Domain Validation Secure Server CA”,   “_validFrom”: 1583107200,   “_validTo”: 1614729599,   “_protocol”: “TLS 1.3”,   “_sanList”: [    “alfabeek.com”,    “www.alfabeek.com”   ]

Continuing the description of FIG. 2 , headless browser 226 is configured to access content at the URL and internally render a content page, to extract words from the rendering of the content page and capture an image of at least part of the rendering of the content page. Headless browser 226 receives URL 214 which is the web address of content page 216 and extracts words from content page 216. Headless browser 226 provides extracted words 246 to natural language encoder 264, which generates an encoding from the extracted words: word encoding 265 in block diagram 200. Natural language (NL) encoder 264 is pretrained on natural language, producing an encoding of words extracted from the content page. Encoder 264 utilizes standard encoder, BERT for natural language, in one example embodiment. Encoders embed input that they process in a relatively low dimensionality embedding space. BERT embeds natural language passages in a 400 to 800 dimension embedding space. Transformer logic accepts natural language input and produces, in one instance, a 768-dimension vector that encodes and embeds the input. The dashed block outline of pretrained decoder 266 distinguishes is as pretrained. That is, BERT is trained prior to use for detecting phishing of URL 214. Encoder 264 produces word encoding 265 of words extracted from a content page being screened, for use by phishing classifier layers 275 to detect phishing. A different ML/DL encoder such as Universal Sentence Encoder can be utilized in a different implementation. A long short-term memory (LSTM) model could be utilized in a different embodiment.

Further continuing the description of FIG. 2 , headless browser 226 receives URL 214 which is the web address of content page 216 and captures an image of the web page, by mimicking a real user visiting the webpage, and taking a snapshot of the rendered web page. Headless browser 226 snapshots and provides captured image 248 to image embedder 256, which is pretrained on images, and produces an embedding of the image captured from the content page. Image embedding can increase efficiency and improve phishing detection for obfuscated cases. Embedder 256 encodes captured image 248 as image embedding 257. Embedder 256 utilizes a standard embedder, residual neural network (ResNet50), with pretrained classifier 258 for images, in one embodiment. A different ML/DL pre-trained image embedder such as Inception-v3, VGG-16, ResNet34 or ResNet-101 can be utilized in a different implementation. Continuing with the example embodiment, ResNet50 embeds an image, such as an RGB 224×224 pixel image, and produces a 248-dimension embedding vector that maps the image into the embedding space. The embedding space is much more compact than the original input. Pretrained ResNet50 embedder 256 produces image embedding 257 of a snapshot of the content page being screened, to be used for detecting phishing websites.

Phishing classifier layers 275, of disclosed phishing detection engine 202, are trained on the URL feature hashes, the encoding of the words extracted from the content page and the embedding of the image captures from the content page of example URLs, with each example URL accompanied by a ground truth classification as phishing or as not phishing. Phishing classifier layers 275 process the URL feature hash, word encoding and image embedding to produce at least one likelihood score that the URL and the content accessed via the URL represents a phishing risk. The likelihood score 285 signals how likely it is that the specific website is a phishing website. In one embodiment, the input size to phishing classifier layers 275 is 2048+768+1024, where the output of BERT is 768, the ResNet50 embedding size is 2048, and the size of feature hash over n-grams of URLs is 1024. Phishing detection engine 202 is highly suitable for semantically meaningful detection of phishing websites regardless of their language. The disclosed near real-time crawling pipeline captures the contents of new and suspicious webpages quickly, before they get invalidated, thus addressing the short life-cycle nature of phishing attacks, and this helps to accumulate a larger training dataset for continuous retraining of the prescribed deep learning architecture.

FIG. 3 illustrates a reference Bidirectional Encoder Representations from Transformers (BERT) block diagram that can be utilized for natural language classification of the words extracted from a web content page, such as is described relative to the block diagram shown in FIG. 2 above.

A second system for applying ML/DL to phishing detection takes advantage of image transfer learning and also uses Generative Pretraining (GPT) for learning HTML embeddings. This addresses the issue of having a limited phishing dataset and also provides better representation for the contents for HTML. Unlike the first approach, there is no need for a BERT text encoding. The HTML embedding network learns to represent the entire multimodal contents of HTML contents (text, JS, CSS, etc.) by a vector of 256 numbers. The theoretical foundation of this HTML embedding network is inspired by “Open AI Generative Pretraining From Pixels” published in Proceedings of the 37th International Conference on Machine Learning, PMLR 119:1691-1703, 2020

FIG. 4 illustrates a high-level block diagram 400 of a disclosed phishing detection engine 402 that utilizes ML/DL with the URL feature hash, the encoding of the HTML extracted from the content page, and the embedding of the image captured from the content page of example URLs, each example URL accompanied by a ground truth classification as phishing or as not phishing, for detecting phishing sites. Disclosed phishing classifier layers 475 produce as least one likelihood score 485 that the URL and the content accessed via the URL presents a phishing risk.

Phishing detection engine 402 uses URL feature hasher 422 that parses URL 414 into features and hashes the features to produce URL feature hash 442, resulting in dimensionality reduction of the URL n-gram. An example of domain features for a URL with headers plus security information is listed above.

Headless browser 426 extracts and provides HTML tokens 446 to HTML encoder 464. Phishing detection engine 202 utilizes disclosed HTML encoder 464, trained on HTML tokens 446 extracted from content pages at example URLs 416, encoded, then decoded to reproduce images captured from rendering of the content pages. Dashed lines distinguish training from later processing of active URLs, including the dashed line from captured image 448 to dashed block outline of generative trained decoder 466 that produces the rendered image of the page from the encoder embeddings. Learning the data distribution P(X) is very beneficial for subsequent supervised modeling of P(X|Y) where Y is the binary class of phishing and non-phishing and X is the HTML contents. HTML encoder 464 gets pre-trained using generative pre-training (GPT) in which unsupervised pre-training over a large volume of unsupervised data is utilized for learning the data distribution P(X) for subsequent supervised decision making with P(Y|X). Once HTML encoder 464 is trained, it can be repurposed. HTML encoder 464 produces an HTML encoding 465 of the HTML tokens 446 extracted from the content page 416.

HTML gets tokenized based on rules, and the HTML tokens 446 get passed to HTML encoder 464. Collaborative clearing houses for data and information about phishing on the Internet that provide open source, community examples of phishing URL lists include PhishTank, OpenPhish, MalwarePatrol and Kaspersky, which serve as sources for HTML files that have been identified as phishing websites. Negative samples, which do not include phishing, balance the data set in a proportion that represents current trends for phishing websites. The HTML encoder 464 gets trained using a large unlabeled data set of HTML and page snapshots, which are gathered by in-house active scanners 154. Because users of websites fall victim to attacks especially when malicious rendered pages are mimicking the look of a legitimate login page, the training objective forces the HTML encoder to learn to represent the HTML contents with respect to their rendered image.

For training, HTML encoder 464 is initialized with random initial parameters and parameters for the HTML. 700K HTML files in data store 164 were scanned and the resulting extraction of the top 10K tokens that represent a content page was used for configuring phishing detection engine 402 for classification that does not suffer from significant number of false positive results, in one embodiment. In one example content page, 800 valid tokens were extracted. In another example, 2K valid tokens were recognized, and in a third example, approximately 1K tokens were collected.

An HTML parser can be used to extract HTML tokens from a content page accessed via the URL, in another embodiment. Both headless browsers and HTML parsers can be configured to extract the HTML tokens that belong to a predetermined token vocabulary and ignore portions of the content that do not belong to the predetermined token vocabulary. Phishing detection engine 402 includes the headless browser configured to extract for production of HTML encodings of up to 64 of the HTML tokens, in one embodiment. 64 is a specific, configurable system parameter. The extraction can use up to 10 ms to render, in some cases. In another embodiment, the headless browser can be configured to extract for production of HTML encodings of up to 128, 256, 1024 or 4096 of the HTML tokens. The use of more tokens slows the training. Implementation of up to 2 k tokens has been accomplished. Training can be utilized to learn what sequential pattern of HTML tokens gives rise to a particular page view. A mathematical approximation is usable to learn what distribution of tokens to later use for better classification.

Continuing the description of FIG. 4 , an image embedder, pretrained on images, produces an image embedding of the image captured from the content pages. Pre-trained embedder coefficients enable cost-effective embedding in near real time. Headless browser 426 is configured to access content at the URL and internally render a content page. Headless browser 226 receives URL 414 which is the web address of content page 416 and captures an image of the web page, by mimicking a real user visiting the webpage, and taking a snapshot of the rendered web page. Headless browser 426 snapshots and provides captured image 448 to rendered image embedder 456, which is pretrained on images, and produces an embedding of the image captured from the content page. Image embedding can increase efficiency and improve phishing detection, which is especially useful for obfuscated cases. Embedder 456 encodes captured image 448 as image embedding 457. Rendered image embedder 456 utilizes a standard embedder, residual neural network (ResNet50), with pretrained classifier 458 for images, in one embodiment. A different ML/DL pre-trained image embedder such as Inception-v3, VGG-16, ResNet34 or ResNet-101 can be utilized in a different implementation. Continuing with the example embodiment, ResNet50 embeds an image, such as an RGB 224×224 pixel image, and produces a 2048-dimension embedding vector that maps the image into the embedding space. The embedding space is much more compact than the original input. Pretrained ResNet50 embedder 456 produces image embedding 457 of the image captured from the content page, to be used for detecting phishing websites. URL feature hash 442, HTML encoding 465 and image embedding 457 are passed to neural network phishing classifier layers 475 for final training and inference, as described next. The input size for the final classifier is 2048 (ResNet50 embedding size)+256 (encoding size of the HTML encoder)+1024 (size of feature hash over n-grams of URLs), in one embodiment. New phishing websites get submitted by a security team in an hourly fashion, in one production system. In one example phishing website, an HTML script starts, then blank sections are detected, and then the HTML script ends. The disclosed technology supports timely detection of new phishing websites.

Phishing classifier layers 475, of disclosed phishing detection engine 402, are trained on the URL feature hashes, the HTML encoding of the HTML tokens extracted from the content page and the embedding of the captured image from the content page of example URLs, with each example URL accompanied by ground truth 472 classification as phishing or as not phishing. After training, phishing classifier layers 275 process URL feature hash 442, HTML encoding 465 and image embedding 457 to produce at least one likelihood score 485 that the URL and the content accessed via the URL 414 presents a phishing risk. The likelihood score 485 signals how likely it is that the URL and the content accessed via the URL presents a phishing risk. Example pseudo-code for training the model is listed next, for classification loss, clf_loss, binary phishing or not, and the difference between what classifier expects to see and what it sees, Gen_loss.

  def training_step(self, batch, batch_idx):  html_tokens, snapshot, label, resnet_embed, domain_features = batch  # Tuning and classification  if self.classify:   embedding, logits = self.gpt(x, classify=True)   gen_loss = self.criterion(logits, y)   clf_logits = self.concat_layer(torch.cat([embedding, resnet_embed, domain_features], dim=1))   clf_loss = self.clf_criterion(clf_logits, label)  # joint loss for classification   loss = clf_loss + gen_loss # Generative pre-training  else:   generated_img = self.gpt(html_tokens)   loss = self.criterion(generated_img, snapshot)

FIG. 5 illustrates a reference residual neural network (ResNet) block diagram, which is pretrained for classification of images, prior to use in phishing detection engine 402.

With inline phishing, the web page is rendered on the user side at user endpoints 166, so a snapshot of the page is not available, so no ResNet is utilized, and the phishing detection classifier does not have access to header information for the content page. Next we describe a disclosed classifier system that utilizes a URL and HTML tokens extracted from a page to classify a URL and a content page accessed via the URL as phishing or not. This third system is particularly useful in a production environment when access to the snapshot of the visited content and to the header information is unavailable, and can operate in real time in a network security system.

Another disclosed classifier system applies ML/DL for classifying a URL and content accessed via the URL as phishing or not, when access to the snapshot of the visited content and to the header information is unavailable. FIG. 6 illustrates a high-level block diagram 600 of a disclosed phishing detection engine 602 that utilizes ML/DL with a URL embedder and an HTML encoder. The encoding of the HTML gets extracted from the content page of pointed to by a URL. Disclosed phishing classifier layers 675 produce as least one likelihood score 685 that the URL and the content accessed via the URL presents a phishing risk.

Phishing detection engine 602 uses URL link sequence extractor 622 that extracts characters in a predetermined character set from the URL 614 to produce a URL character sequence 642. One dimensional 1D convolutional neural network (Conv1D) URL embedder 652 produces a URL embedding 653. Prior to use for classifications, URL embedder 652 and URL classifier 654 are trained using example URLs accompanied by ground truth 632 that classifies the URL as phishing or as not phishing. The dashed block outline of trained URL classifier 654 distinguishes the training from later processing of active URLs. During training of URL embedder 652 the differences beyond the phishing classifier layers to embedding layers used to produce the URL embedding are back-propagated.

Continuing the description of the system 600 illustrated in FIG. 6 , phishing detection engine 602 also utilizes disclosed HTML encoder 664, which is trained using HTML tokens 646 parsed by HTML parser 636 from content pages at example URLs 616, encoded, then decoded to reproduce images captured from rendering of the content pages. Parsing extracts meaning from available metadata. In one implementation, tokenization operates as a first step of parsing to identify HTML tokens within a stream of metadata, and parsing then goes on to use the context that the token is found in to determine the meaning and/or the kind of information being referenced. HTML encoder 664 produces an HTML encoding 665 of the HTML tokens 646 extracted from the content page 616.

During training, headless browser 628 captures an image of a content page for a URL, for use in pre-training. The dashed line from captured image 648 to dashed block outline of generative trained decoder 668 that produces the rendered image of the page from the encoder embeddings, distinguishes the training from later processing of active URLs. For training, HTML encoder 664 is initialized with random initial parameters and parameters for the HTML. HTML encoder 664 gets pre-trained using generative pre-training in which unsupervised pre-training over a large volume of unsupervised data is utilized for learning the data distribution P(X) for subsequent supervised decision making with P(Y|X). Once HTML encoder 664 is trained, it gets repurposed for use in production. During training of encoder 664 the differences to encoding layers used to produce the HTML encodings are back-propagated beyond the phishing classifier layers. Training data includes 206,224 benign and 69,808 phishing pages in one embodiment.

Further continuing the description of the system 600, phishing classifier layers 675 are trained on URL embedding and the HTML encoding of example URLs, each example URL accompanied by the ground truth classification as phishing or as not phishing 632. During training of URL embedder 652, the differences to encoding layers used to produce the URL embedding 653 are back-propagated beyond the phishing classifier layers. That is, once HTML encoder 664 is pre-trained, the URL embedding 653 network is trained alongside the rest of network (classifier layers 675 and fine-tuning step of the HTML encoder 654) with loss function and the help of URL examples with ground truth 632 for the input information

After training, phishing classifier layers 675 process a concatenated input of the URL embedding 653 and the HTML encoding 665 to produce at least one likelihood score that the URL and the content accessed via the URL presents a phishing risk. Phishing detection engine 602 applies phishing classifier layers 675 to a concatenated input of the URL embedding and the HTML encoding, to produce at least one likelihood score 685 that the URL and the content accessed via the URL presents a phishing risk.

HTML parser 636 extracts HTML tokens from a content page accessed via the URL. HTML parser 636 is configurable to extract from the content the HTML tokens that belong to a predetermined token vocabulary and ignore portions of the content that do not belong to the predetermined token vocabulary, such as carriage returns and line feeds, in one example. In training for determining the number of HTML tokens to specify for training HTML encoder 664, a scan of 700K HTML files in data store 164 and the resulting extraction of the top 10K tokens that represent a content page was used for configuring phishing detection engine 602 for classification that does not suffer from significant number of false positive results, in one embodiment. In one example content page, 800 valid tokens were extracted, in another example, 2K valid tokens were recognized, and in a third example, approximately 1K tokens were collected. Training is used to learn what sequential pattern of HTML tokens gives rise to a specific content page.

For a real time phishing detection system that utilizes an inline implementation, care is taken to minimize the size of the vocabulary, for speed considerations. For phishing detection engine 602, HTML parser 636 is configured to extract for production of HTML encodings of up to 64 of the HTML tokens, in one embodiment. A different number of HTML encodings can be utilized in a different implementation. In another embodiment, the headless browser can be configured to extract for production of HTML encodings of up to 128, 256, 1024 or 4096 of the HTML tokens.

Phishing patterns evolve constantly, and it is often challenging for a detection method to achieve a high true positive rate (TPR) while maintaining a low false positive rate (FPR). A precision-recall curve shows the relationship between precision (=positive predictive value) and recall (=sensitivity) for the possible cut-offs.

FIG. 7 shows a precision recall graph for multiple disclosed phishing detection systems. Due to the requirement for almost no false positive detections, precision of results near the top of the graph is of interest, where precision is near 1.000. The curve with HTML plus URL plus header content is represented by the dotted line 746. Snapshot (ResNet) plus BERT, represented as a curve with long dashes 736, is more precise than HTML plus URL plus header content, and Snapshot represented as a solid curve 726 is the most precise phishing technique. BERT is computationally expensive, and the graph shows that BERT is not needed for obtaining precise phishing detection results.

FIG. 8 illustrates the receiver operating characteristic curves (ROC) for systems for phishing website detection described above. The ROC curves are plots of the true positive rate (TPR) as a function of the false positive rate (FPR) at various threshold settings. The area of interest is the area under the curve with very low FPR, because false positive identification of content pages as phishing websites is untenable. The ROC curves are useful for comparing the systems for detecting phishing websites described above. For phishing detection engine 202 the ROC curve labeled+Snapshot+Bert 836 and illustrated with long dashes shows results for the system that utilizes ML/DL with a URL feature hash, encoding of NL words and embedding of the captured website image. A second system, phishing detection engine 402 utilizes ML/DL with URL feature hashes, encoding of the HTML tokens extracted from the content page, and the embedding of the image captured from the content page for detecting phishing sites. The curve labeled+Snapshot 826 shows higher precision for the system, with fewer false positives than for HTML—URL—Header 846, whose curve is illustrated with dots.

Continuing the description of the ROC curves of FIG. 8 , with different combinations of features including the Multilingual Bert embeddings, a comparison illustrates that text embedding, such as BERT, hurts the efficacy of the model, perhaps due to the HTML encoder already taking the textual contents into account, so that including more text encodings can lead to overfitting over the text of the HTML pages. +Snapshot 826 has higher precision and leads to the least number of FPs in production. Moreover, the version of the model without image embeddings results in a system that can bypass the active scanner/headless browser function in environments such as runtime environments in which snapshots are unavailable. In one example, running headless browsers may be too costly and not scalable to a huge number of URLs faced in production environments. Moreover, sometimes the attackers can avoid detection in such environments.

FIG. 9 illustrates the receiver operating characteristic curve (ROC) for phishing website detection for phishing detection engine 602 that utilizes ML/DL with a URL embedder and an HTML encoder. The ROC curve 936 is a plot of the true positive rate (TPR) as a function of the false positive rate (FPR) at various threshold settings. ROC curve 936 illustrates that phishing detection engine 602 has a higher true positive rate than the phishing detection systems whose ROC curves are depicted in FIG. 8 .

URL embedder 652 and html encoder 664 of phishing detection engine 602 comprise high-level programs that have irregular memory access patterns or data dependent flow control. A high-level program is source code written in programming languages like C, C++, Java, Python, and Spatial. The high-level program can implement computing structures and algorithms of machine learning models like AlexNet, VGG Net, GoogleNet, ResNet, ResNeXt, RCNN, YOLO, SqueezeNet, SegNet, GAN, BERT, ELMo, USE, Transformer, and Transformer-XL. In one example, the high-level program can implement a convolutional neural network with several processing layers, such that each processing layer can include one or more nested loops. The high-level program can execute irregular memory operations that involve accessing inputs and weights and performing matrix multiplications between the inputs and the weights. The high-level program can include nested loops with high iteration count and loop bodies that load and multiply input values from a preceding processing layer with weights of a succeeding processing layer to produce an output for the succeeding processing layer. The high-level program can have loop-level parallelism of the outermost loop body, which can be exploited using coarse-grained pipelining. The high-level program can have instruction-level parallelism of the innermost loop body, which can be exploited using loop unrolling, single instruction, multiple data (SIMD) vectorization, and pipelining.

FIG. 10 illustrates a computation dataflow graph of the functionality for one dimensional 1D convolutional neural network (Conv1D) URL embedder 652 that produces URL embedding 653, with the C++ code expressed in open neural network exchange (ONNX) format. The URL inputs the first one hundred characters of the URL 1014 and uses a one hot encoding, in one example embodiment, resulting in a convolution block with weight 256×56×7 1024 (kernel size=7, like a sliding window) and generates a binary output for the multidimensional feature. The output with dimension 1×32×8 (1×256) 1064 represents the final URL embedding 653 generated as an input to phishing classifier layers 675.

FIG. 11 shows a diagram of the blocks of disclosed html encoder 664, which produces html encoding 665 as an input to phishing classifier layers 675. The HTML encoder architecture gets pre-trained with the help of a Convolutional decoder that reconstructs the image seen in the training data. The decoder is typically a Convolutional Neural Network (CNN. Training forces the HTML encoder to learn to represent the HTML contents with respect to their rendered image, therefore skipping irrelevant parts of the HTML. The training is aligned with the way phishing attacks are launched, where users fall victim to phishing attacks as long as the rendered pages are mimicking the look of a legitimate page. Next we describe an overview of the functionality of the blocks. Input embedding 1112 takes in the 64 HTML tokens extracted by HTML parser 636, as described earlier, and maps the HTML tokens to the vocabulary. Positional encoding 1122 adds contextual information for the vector of HTML tokens. Multi-head attention 1132 generates multiple self-attention vectors for identifying which elements of the input to focus on. Abstract vectors Q, K and V extract different components of the input and are used to calculate the attention vectors. The multi-attention vectors represent the relationship between the HTML vectors. Multi-head attention 1132 gets repeated four times in the illustrated computation dataflow graph described relative to FIG. 12A-D below, representing the quadratic multi-head attention. The number of heads can be doubled or made even larger, in a different embodiment. Multi-head attention 1132 passes the attention vectors to feed forward network 1162, one vector at a time. Feed forward network 1162 transforms the vectors for the next block. Each block ends with an add and normalize operation, depicted by add and normalize 1172, for smoothing and normalizing the layers across each feature, squeezing the HTML representation to 256 numbers that regenerate the image seen in training data. The output represents the final HTML encoding 665 generated as an input of 256 numbers to phishing classifier layers 675.

FIG. 12A shows an overview block diagram for disclosed html encoder 664 which results in html encoding 665 which is input to phishing classifier layers 675. Input encoding and positional embedding 1205 are described relative to FIG. 11 above, and a detailed ONNX listing is illustrated in FIG. 12B. Multi-head attention 1225 is described relative to FIG. 11 above and FIG. 12C shows a detailed ONNX image with inputs from the input encoding and positional embedding shown as inputs to the operator schemas for implementing the block from FIG. 12B. Add and normalize and feedforward 1245 are described relative to FIG. 11 also, with a detailed ONNX listing in FIG. 12D. FIG. 12A also includes Reduce Mean 1265 operator that reduces over the dimensions of the input tensor, computing the mean of the input tensor's element along the provided axes. HTML encoding 665 output is a 1×256 vector 1285 generated and mapped as an input to phishing classifier layers 675. Details of inputs, outputs and operations performed for ONNX operators are well known by those of skill in the art.

FIG. 12B, FIG. 12C and FIG. 12D together illustrate a computation dataflow graph of the functionality for html encoder 664 which results in html encoding 665 which is input to phishing classifier layers 675, with the C++ code expressed in open neural network exchange (ONNX) format. In another embodiment the ONNX code can express a different programming language.

FIG. 12B shows one section of the dataflow graph in two columns, separated by a dotted line, with a connector at the bottom of the left column feeding into the top of the right column. The results at the bottom of the right column of FIG. 12B feed into FIG. 12C and FIG. 12D. FIG. 12B illustrates the input encoding and positional embedding, as shown by gather operator 1264. For input embedding 1112, a gather block gathers data of dimension 64×256 1264.

FIG. 12C illustrates a single iteration of multi-head attention 1225, showing an example of a dataflow graph with compute nodes that asynchronously transmit data along data connections. The dataflow graph represents the so-called multi-head attention module of the Transformer model. In one embodiment, the dataflow graph shows a plurality of loops executing in parallel as separate processing pipelines to process input tensors across the plurality of processing pipelines, with a loop nest in which loops are arranged in a hierarchy of levels, such that a loop at a second level is within a loop at a first level, with gather and unsqueeze and concat operations. Gather operations (3 overall) refer to the use of the Query, Key and Value vectors in the multi-head attention layer. In this disclosed example of the model, two heads were utilized, resulting in concat operations for each of these vectors. In the illustrated embodiment, respective outputs of each of the processing pipelines are concatenated to produce concatenated outputs A2, B2, C2, D2. Outputs from the multi-head attention functionality feed into add and normalize and feedforward, as illustrated by A2, B2, C2, D2 at the bottom of FIG. 12C, and at the top of FIG. 12D.

FIG. 12D shows the add and normalize and feedforward 1245 functionality using ONNX operations. FIG. 12D is illustrated using three columns, separated by dotted lines, with the connector at the bottom of the left column feeding into the top of the middle column, and connectors at the bottom of the middle column feeding into the right column operations. Outputs of multi-head attention (shown in FIG. 12C) feed into the add and normalize and feedforward operations, and a SoftMax operation 1232 transforms the input vectors, normalizing into a probability distribution that is fed into matrix multiplier MatMul 1242. Outputs of add and normalize and feedforward 1245 Ax, Bx, Cx, Dx (shown in the bottom right corner of FIG. 12D) feed into Reduce Mean 1265 operator (FIG. 12A). Reduce Mean 1265 operator reduces over the dimensions of the input tensor (Ax, Bx, Cx, Dx), computing the mean of the input tensor's element along the provided axes. HTML encoding 665 output is a 1×256 vector 1285.

FIG. 13 illustrates a computation dataflow graph of the functionality for phishing classifier layers 675 that generate likelihood score(s) 685 that signal how likely it is that a specific website is a phishing website, with the C++ code expressed in open neural network exchange (ONNX) format. The input to phishing classifier layers 675 is of size 1×512 1314 formed by concatenating the URL embedding and the HTML encoding. The two concatenated vectors are 1×256 vector HTML encoding and URL embedding with dimension 1×32×8 (1×256), as described earlier. Batch normalization 1324 standardizes the inputs, as applied to the activations of the prior layer, and accelerates training. Operator GEneral Matrix Multiplication (GEMM) 1346, 1366 represents a linear algebra routine—a fundamental operator in DL. The outputs of the final two-layer feed forward classifier, size 1×2 1374, are the likelihood that the web page is a phishing site, and the likelihood that the web page is not a phishing site, for classifying the site as phishing or not phishing.

Computer System

FIG. 14 is a simplified block diagram of a computer system 1000 that can be used for classifying a URL and the content page accessed via the URL as phishing or not phishing. Computer system 1400 includes at least one central processing unit (CPU) 1472 that communicates with a number of peripheral devices via bus subsystem 1455, and network security system 112 for providing network security services described herein. These peripheral devices can include a storage subsystem 1410 including, for example, memory devices and a file storage subsystem 1436, user interface input devices 1438, user interface output devices 1476, and a network interface subsystem 1474. The input and output devices allow user interaction with computer system 1400. Network interface subsystem 1474 provides an interface to outside networks, including an interface to corresponding interface devices in other computer systems.

In one implementation, cloud-based security system 153 of FIG. 1 is communicably linked to the storage subsystem 1410 and the user interface input devices 1438.

User interface input devices 1438 can include a keyboard; pointing devices such as a mouse, trackball, touchpad, or graphics tablet; a scanner; a touch screen incorporated into the display; audio input devices such as voice recognition systems and microphones; and other types of input devices. In general, use of the term “input device” is intended to include all possible types of devices and ways to input information into computer system 1400.

User interface output devices 1476 can include a display subsystem, a printer, a fax machine, or non-visual displays such as audio output devices. The display subsystem can include an LED display, a cathode ray tube (CRT), a flat-panel device such as a liquid crystal display (LCD), a projection device, or some other mechanism for creating a visible image. The display subsystem can also provide a non-visual display such as audio output devices. In general, use of the term “output device” is intended to include all possible types of devices and ways to output information from computer system 1400 to the user or to another machine or computer system.

Storage subsystem 1410 stores programming and data constructs that provide the functionality of some or all of the modules and methods described herein. Subsystem 1478 can be graphics processing units (GPUs) or field-programmable gate arrays (FPGAs).

Memory subsystem 1422 used in the storage subsystem 1410 can include a number of memories including a main random access memory (RAM) 1432 for storage of instructions and data during program execution and a read only memory (ROM) 1434 in which fixed instructions are stored. A file storage subsystem 1436 can provide persistent storage for program and data files, and can include a hard disk drive, a floppy disk drive along with associated removable media, a CD-ROM drive, an optical drive, or removable media cartridges. The modules implementing the functionality of certain implementations can be stored by file storage subsystem 1436 in the storage subsystem 1410, or in other machines accessible by the processor.

Bus subsystem 1455 provides a mechanism for letting the various components and subsystems of computer system 1400 communicate with each other as intended. Although bus subsystem 1455 is shown schematically as a single bus, alternative implementations of the bus subsystem can use multiple busses.

Computer system 1400 itself can be of varying types including a personal computer, a portable computer, a workstation, a computer terminal, a network computer, a television, a mainframe, a server farm, a widely distributed set of loosely networked computers, or any other data processing system or user device. Due to the ever-changing nature of computers and networks, the description of computer system 1400 depicted in FIG. 14 is intended only as a specific example for purposes of illustrating the preferred embodiments of the present invention. Many other configurations of computer system 1400 are possible having more or fewer components than the computer system depicted in FIG. 14 .

Particular Implementations

Some particular implementations and features for classifying a URL and content accessed via the URL as phishing or not phishing are described in the following discussion.

In one disclosed implementation, a phishing classifier that classifies a URL and content accessed via the URL as phishing or not phishing includes a URL feature hasher that parses the URL into features and hashes the features to produce URL feature hashes, and a headless browser configured to extract words from a rendered content page and capture an image of at least part of the rendered content page. The disclosed implementation also includes a natural language encoder that produces a word encoding of the extracted words, an image embedder that produces an image embedding of the captured image, and phishing classifier layers that process a concatenated input of the URL feature hashes, the word encoding and the image embedding, to produce at least one likelihood score that the URL and the content accessed via the URL presents a phishing risk.

In another disclosed implementation, a phishing classifier that classifies a URL and content accessed via the URL as phishing or not phishing includes a URL feature hasher that parses the URL into features and hashes the features to produce URL feature hashes, and a headless browser configured to access content at the URL and internally render a content page, extract words from the rendering of the content page, and capture an image of at least part of the rendering of the content page. The disclosed implementation also includes a natural language encoder, pretrained on natural language, that produces a word encoding of the words extracted from the content page, and an image embedder, pretrained on images, that produces an image embedding of the image captured from the content page. The implementation further includes phishing classifier layers trained on the URL feature hashes, the word encoding, and the image embedding of example URLs, each example URL accompanied by a ground truth classification as phishing or as not phishing, that process a concatenated input of the URL feature hashes, the word encoding, and the image embedding of the URL to produce at least one likelihood score that the URL and the content accessed via the URL presents a phishing risk.

For some disclosed implementations of the phishing classifier, the natural language encoder is one of Bidirectional Encoder Representations from Transformers (abbreviated BERT) and Universal Sentence Encoder. The image embedder is one of residual neural network (abbreviated ResNet), Inception-v3 and VGG-16.

In one implementation, a disclosed computer-implemented method of classifying a URL and content accessed via the URL as phishing or not phishing includes applying a URL feature hasher, extracting features from the URL and hashing the features to produce URL feature hashes. The disclosed method also includes applying a natural language encoder, pretrained on natural language, that produces a word encoding of words parsed from a rendering of the content, and applying an image encoder, pretrained on images, that produces an image embedding of an image captured from at least part of the rendering. The disclosed method further includes applying phishing classifier layers trained on concatenations of the URL feature hashes, the word encoding, and the image embedding for example URLs accompanied by ground truth classifications as phishing or as not phishing, and processing the URL feature hashes, the word encoding, and the image embedding to produce at least one likelihood score that the URL and the content accessed via the URL presents a phishing risk.

The method described in this section and other sections of the technology disclosed can include one or more of the following features and/or features described in connection with additional methods disclosed. In the interest of conciseness, the combinations of features disclosed in this application are not individually enumerated and are not repeated with each base set of features. The reader will understand how features identified in this method can readily be combined with sets of base features identified as implementations.

One disclosed computer-implemented method further includes applying a headless browser for accessing the content via the URL and internally rendering the content, parsing words from the rendered the content, and capturing an image of at least part of the rendered content.

One embodiment of the disclosed computer-implemented method includes the natural language encoder as one of Bidirectional Encoder Representations from Transformers (BERT) and Universal Sentence Encoder. Some embodiments of the disclosed computer-implemented method also include the image embedder as one of residual neural network (ResNet), Inception-v3 and VGG-16.

One disclosed computer-implemented method of training phishing classifier layers to classify a URL and content accessed via the URL as phishing or not phishing includes receiving and processing for example URLs, URL feature hashes, a word encoding of words extracted from the content page, and an image embedding of an image captured from rendering of the content, to produce at least one likelihood score that each example URL and the content accessed via the URL presents a phishing risk. The method also includes calculating a difference between the likelihood score for each example URL and each corresponding ground truth that the example URL and the content page are phishing or not phishing and using differences for the example URLs to train coefficients of the phishing classifier layers. The method further includes saving the trained coefficients for use classifying a production URL and a content page accessed via the production URL as phishing or not phishing.

The disclosed computer-implemented method further includes not backpropagating the differences beyond the phishing classifier layers to encoding layers used to produce the word encoding, and not backpropagating the differences beyond the phishing classifier layers to embedding layers used to produce the image embedding.

The disclosed computer-implemented method also includes producing the URL feature hashes for each of the example URLs, producing the word encoding of words extracted from a rendering of the content page, and producing the image embedding of the image captured from the rendering.

For many disclosed computer-implementations, the disclosed method of training phishing classifier layers to classify a URL and content accessed via the URL as phishing or not phishing includes producing the word encoding using a Bidirectional Encoder Representations from Transformers (BERT) encoder or a variation on a BERT encoder, and producing the image embedding using one of a residual neural network (ResNet), Inception-v3 and VGG-16.

In one disclosed implementation, a phishing classifier that classifies a URL and content accessed via the URL as phishing or not phishing includes a URL feature hasher that parses the URL into features and hashes the features to produce URL feature hashes, and a headless browser configured to extract HTML tokens from a rendered content page and capture an image of at least part of the rendered content page. The disclosed classifier also includes an HTML encoder that produces an HTML encoding of the extracted HTML tokens, an image embedder that produces an image embedding of the captured image, and phishing classifier layers that process the URL feature hashes, HTML encodings and image embeddings to produce at least one likelihood score that the URL and the content accessed via the URL presents a phishing risk. In some implementations, the HTML tokens belong to a recognized vocabulary of HTML tokens.

In one implementation, a disclosed phishing classifier that classifies a URL and a content page accessed via the URL as phishing or not phishing, includes a URL feature hasher that parses the URL into features and hashes the features to produce URL feature hashes, and a headless browser configured to access content at the URL and internally render a content page, extract HTML tokens from the content page, and capture an image of at least part of the rendering of the content page. The disclosed phishing classifier also includes an HTML encoder, trained on HTML tokens extracted from content pages at example URLs, encoded, then decoded to reproduce images captured from rendering of the content pages, that produces an HTML encoding of the HTML tokens extracted from the content page. Also included is an image embedder, pretrained on images, that produces an image embedding of the image captured from the content page, and phishing classifier layers, trained on the URL feature hashes, the HTML encoding, and the image embedding of example URLs, each example URL accompanied by a ground truth classification as phishing or as not phishing, that process the URL feature hashes, HTML encoding and image embeddings of the URL to produce at least one likelihood score that the URL and the content page accessed via the URL presents a phishing risk.

Some implementations of the disclosed method further include the headless browser configured to extract from the content the HTML tokens that belong to a predetermined token vocabulary and ignore portions of the content that do not belong to the predetermined token vocabulary. Some disclosed implementations further include the headless browser configured to extract for production of HTML encodings of up to 64 of the HTML tokens.

One implementation of a disclosed method of classifying a URL and a content page accessed via the URL as phishing or not phishing includes applying a URL feature hasher, extracting features from the URL and hashing the features to produce URL feature hashes. The method also includes applying an HTML encoder, trained on natural language, that produces an HTML encoding of HTML tokens extracted from a rendered content page. The method further includes an image embedder, pretrained on images, that produces an image embedding of an image captured from at least part of the rendered content page, and applying phishing classifier layers trained on the URL feature hashes, the HTML encoding, and the image embedding for example URLs classified accompanied by ground truth classifications as phishing or as not phishing, and processing the URL feature hashes, the HTML encoding, and the image embedding of the URL, to produce at least one likelihood score that the URL and the content accessed via the URL presents a phishing risk. In one disclosed implementation, the method further includes applying a headless browser, accessing the content page via the URL and internally rendering the content page, parsing HTML tokens from the rendered content, and capturing an image of at least part of the rendered content.

Some disclosed implementations further include the headless browser parsing from the content the HTML tokens that belong to a predetermined token vocabulary and ignoring portions of the content that do not belong to the predetermined token vocabulary. Some implementations also include the headless browser parsing up to 64 of the HTML tokens for production of HTML encodings.

One implementation of a disclosed computer-implemented method of training phishing classifier layers to classify a URL and a content page accessed via the URL as phishing or not phishing includes receiving and processing for example URLs, URL feature hashes, HTML encodings of HTML tokens extracted from the content page, and an image embedding of an image captured from a rendering of the content page, to produce at least one likelihood score that each example URL and the content accessed via the URL presents a phishing risk. The method includes calculating a difference between the likelihood score for each example URL and each corresponding ground truth as to whether the example URL and the content page are phishing or not phishing, using the calculated differences for the example URLs to train coefficients of the phishing classifier layers, and saving the trained coefficients for use classifying a production URL and a content page accessed via the production URL as phishing or not phishing.

Some implementations of the disclosed method include back-propagating the differences beyond the phishing classifier layers to encoding layers used to produce the HTML encodings. Some implementations further include not back-propagating the differences beyond the phishing classifier layers to embedding layers used to produce the image embedding.

Some implementations also include producing the URL feature hashes for each of the example URLS, producing the HTML encoding of HTML tokens extracted from a rendering the content page, and producing the image embedding of the image captured from the rendering. Some implementations further include training an HTML encoder-decoder to produce the HTML encodings using, for second example URLs, HTML tokens extracted from content pages of the second example URLs, encoded then decoded to reproduce images captured from the content pages of the second example URLs. Some implementations of the disclosed method also include producing the image embedding using a ResNet embedder or a variation on a ResNet embedder that is pretrained to embed images in an embedding space.

One implementation of a disclosed phishing classifier that classifies a URL and a content page accessed via the URL as phishing or not phishing includes an input processor that accepts a URL for classification, a URL embedder that produces a URL embedding of the URL, an HTML parser that extracts HTML tokens from a content page accessed via the URL, an HTML encoder that produces an HTML encoding from the HTML tokens, and a phishing classifier layer that operates on the URL embedding and the HTML encoding to classify the URL and content accessed via the URL as phishing or not phishing.

Some implementations of the disclosed phishing classifier also include a URL embedder that extracts characters in a predetermined character set from the URL to produce a character string and that is trained using a ground truth classification of the URL as phishing or as not phishing, that produces a URL embedding. The classifier further includes an HTML parser configured to access content at the URL and extract HTML tokens from the content page. Also included are a disclosed HTML encoder trained on HTML tokens extracted from content pages at example URLs, each example URL accompanied by a ground truth image captured from the content page accessed via the example URL, that produces an HTML encoding of the HTML tokens extracted from the content page, and phishing classifier layers trained on the URL embedding and the HTML encoding of example URLs, each example URL accompanied by the ground truth classification as phishing or as not phishing, that processes a concatenated input of the URL embedding and the HTML encoding to produce at least one likelihood score that the URL and the content accessed via the URL presents a phishing risk.

For some implementations of the disclosed phishing classifier, the input processor accepts the URL for classification in real time. In many implementations of the disclosed phishing classifier the phishing classifier layer operates to classify the URL and content accessed via the URL as phishing or not phishing in real time. In some implementations, the disclosed phishing classifier further includes the HTML parser configured to extract from the content page the HTML tokens that belong to a predetermined token vocabulary and ignore portions of the content page that do not belong to the predetermined token vocabulary, and can further include the HTML parser configured to extract for production of HTML encodings of up to 64 of the HTML tokens.

One implementation of a disclosed computer-implemented method of classifying a URL and a content page accessed via the URL as phishing or not phishing includes applying a URL embedder, extracting characters in a predetermined character set from the URL to produce a character string and producing a URL embedding, and training and using a ground truth classification of the URL as phishing or as not phishing, that produces a URL embedding. The method also includes applying an HTML parser to access content at the URL and extract HTML tokens from the content page, applying an HTML encoder to produce an HTML encoding of the extracted HTML tokens, and applying phishing classifier layers to a concatenated input of the URL embedding and the HTML encoding, to produce at least one likelihood score that the URL and the content accessed via the URL presents a phishing risk. Some implementations also include the HTML parser extracting from the content page the HTML tokens that belong to a predetermined token vocabulary and ignoring portions of the content page that do not belong to the predetermined token vocabulary, and can further include. the HTML parser extracting for production of HTML encodings of up to 64 of the HTML tokens. The disclosed method can also include applying the URL embedder, the HTML parser, the HTML encoder and the phishing classifier layers in real time. In some cases the phishing classifier layers operate to produce at least one likelihood score that the URL and the content accessed via the URL presents a phishing risk in real time.

One implementation of a disclosed computer-implemented method of training phishing classifier layers to classify a URL and a content page accessed via the URL as phishing or not phishing includes receiving and processing for example URLs and content pages accessed via the URLs, a URL embedding of characters extracted from the URLs and HTML encodings of HTML tokens extracted from the content pages, to produce at least one likelihood score that each example URL and the content page accessed via the URL presents a phishing risk. The disclosed method also includes calculating a difference between the likelihood score for each example URL and each corresponding ground truth that the example URL and the content page are phishing or not phishing, using differences for the example URLs to train coefficients of the phishing classifier layers, and saving the trained coefficients for use classifying a production URL and a content page accessed via the production URL as phishing or not phishing.

Some implementations of the disclosed method further include applying a headless browser, accessing content at the URL and internally rendering a content page, and capturing an image of at least part of the content page. The disclosed method can further include back-propagating the differences beyond the phishing classifier layers to encoding layers used to produce the HTML encodings, and can further include back-propagating the differences beyond the phishing classifier layers to embedding layers used to produce the URL embedding.

Some implementations of the disclosed method further include producing the URL embeddings of the characters extracted from the example URLs, and producing the HTML encodings of HTML tokens extracted from the content pages accessed via the example URLs, and producing the image embedding of the image captured from the rendering.

Some implementations of the disclosed method further include training an HTML encoder-decoder to produce the HTML encodings using, for second example URLs, HTML tokens extracted from content pages of the second example URLs, encoded then decoded to reproduce images captured from the content pages of the second example URLs. The disclosed method can further include extracting from the content page the HTML tokens that belong to a predetermined token vocabulary and ignoring portions of the content page that do not belong to the predetermined token vocabulary. The method can also include limiting the extraction to a predetermined number of the HTML tokens, and can further include producing HTML encodings of up to 64 of the HTML tokens.

Other implementations of the methods described in this section can include a tangible non-transitory computer readable storage medium impressed with computer program instructions that, when executed on processors cause the processors to perform any of the methods described above. Yet another implementation of the methods described in this section can include a device including memory and one or more processors operable to execute computer instructions, stored in the memory, to perform any of the methods described above.

Any data structures and code described or referenced above are stored according to many implementations on a computer readable storage medium, which may be any device or medium that can store code and/or data for use by a computer system. This includes, but is not limited to, volatile memory, non-volatile memory, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), magnetic and optical storage devices such as disk drives, magnetic tape, CDs (compact discs), DVDs (digital versatile discs or digital video discs), or other media capable of storing computer-readable media now known or later developed.

The preceding description is presented to enable the making and use of the technology disclosed. Various modifications to the disclosed implementations will be apparent, and the general principles defined herein may be applied to other implementations and applications without departing from the spirit and scope of the technology disclosed. Thus, the technology disclosed is not intended to be limited to the implementations shown but is to be accorded the widest scope consistent with the principles and features disclosed herein. The scope of the technology disclosed is defined by the appended claims. 

What is claimed is:
 1. (canceled)
 2. A phishing classifier that classifies a universal resource locator (URL) and a content page accessed via the URL as phishing or not phishing, including: a URL feature hasher that parses the URL into features and hashes the features to produce URL feature hashes; an HTML encoder, trained on HTML tokens: extracted from content pages at example URLs, encoded into an embedding space, which is then decoded to reproduce images captured from rendering of content pages, that produces an HTML encoding of the HTML tokens extracted from a content page; and phishing classifier layers, trained on URL feature hashes, and HTML encodings, of the example URLs, each example URL accompanied by a ground truth classification as phishing or as not phishing, that process the URL feature hashes, and the HTML encoding of the URL to produce at least one likelihood score that the URL and the content page accessed via the URL presents a phishing risk.
 3. The phishing classifier of claim 2, wherein training included back-propagating the differences beyond the phishing classifier layers to encoding layers used to produce the HTML encodings.
 4. The phishing classifier of claim 2, wherein training included not back-propagating the differences beyond the phishing classifier layers to embedding layers used to produce the image embedding.
 5. The phishing classifier of claim 2, further including an HTML encoder-decoder to produce the HTML encodings using, for second example URLs, HTML tokens extracted from content pages of the second example URLs, encoded then decoded to reproduce images captured from the content pages of the second example URLs.
 6. The phishing classifier of claim 2, further including an image embedder, pretrained on images, that produces an image embedding of the image captured from the content page.
 7. The phishing classifier of claim 6, wherein the image embedder is a ResNet embedder or a variation on a ResNet embedder that is pretrained to embed images in an embedding space.
 8. A non-transitory computer readable storage medium impressed with computer program instructions for classifying a universal resource locator (URL) and a content page accessed via the URL as phishing or not phishing, the instructions, when executed on a processor, implement actions comprising: using a URL feature hasher that parses the URL into features and hashes the features to produce URL feature hashes; using an HTML encoder, trained on HTML tokens: extracted from content pages at example URLs, encoded into an embedding space, which is then decoded to reproduce images captured from rendering of content pages, that produces an HTML encoding of the HTML tokens extracted from a content page; using phishing classifier layers, trained on URL feature hashes, and HTML encodings, of the example URLs, each example URL accompanied by a ground truth classification as phishing or as not phishing, that process the URL feature hashes, and the HTML encoding of the URL to produce at least one likelihood score that the URL and the content page accessed via the URL presents a phishing risk.
 9. The non-transitory computer readable storage medium claim 8, wherein training included back-propagating the differences beyond the phishing classifier layers to encoding layers used to produce the HTML encodings.
 10. The non-transitory computer readable storage medium claim 8, wherein training included not back-propagating the differences beyond the phishing classifier layers to embedding layers used to produce the image embedding.
 11. The non-transitory computer readable storage medium claim 8, further including an HTML encoder-decoder to produce the HTML encodings using, for second example URLs, HTML tokens extracted from content pages of the second example URLs, encoded then decoded to reproduce images captured from the content pages of the second example URLs.
 12. The non-transitory computer readable storage medium claim 8, further including using a headless browser.
 13. The non-transitory computer readable storage medium claim 8, further including using an image embedder, pretrained on images, that produces an image embedding of the image captured from the content page.
 14. The non-transitory computer readable storage medium claim 13 wherein the image embedder is a ResNet embedder or a variation on a ResNet embedder that is pretrained to embed images in an embedding space.
 15. A computer-implemented method of classifying a URL and a content page accessed via the URL as phishing or not phishing, including: a URL link sequence extractor that extracts characters in a predetermined character set from the URL to produce a URL character sequence; a URL embedder that produces a URL embedding of the URL character sequence; an HTML encoder, pretrained on HTML tokens: extracted from content pages at example URLs, encoded into an embedding space, which is then decoded to reproduce images captured from rendering of the content pages, that produces an HTML encoding of the HTML tokens extracted from the content pages; and phishing classifier layers, trained on URL embedding and HTML encodings, each example URL accompanied by a ground truth classification as phishing or as not phishing, that process the URL embedding and the HTML encodings to produce at least one likelihood score that the URL and the content page accessed via the URL presents a phishing risk.
 16. The computer-implemented method of claim 15, wherein training included back-propagating the differences beyond the phishing classifier layers to encoding layers used to produce the HTML encodings.
 17. The computer-implemented method of claim 15, wherein training included not back-propagating the differences beyond the phishing classifier layers to embedding layers used to produce the image embedding.
 18. The computer-implemented method of claim 15, further including an HTML encoder-decoder to produce the HTML encodings using, for second example URLs, HTML tokens extracted from content pages of the second example URLs, encoded then decoded to reproduce images captured from the content pages of the second example URLs.
 19. The computer-implemented method of claim 15, further including using a headless browser.
 20. The computer-implemented method of claim 15, further including using an image embedder, pretrained on images, that produces an image embedding of the image captured from the content page.
 21. The computer-implemented method of claim 20 wherein the image embedder is a ResNet embedder or a variation on a ResNet embedder that is pretrained to embed images in an embedding space. 